Squid (correctly) inserts Via and X-Forwarded-For headers into requests that it is proxying. However, in the case of encrypted traffic, the server and client are expecting the traffic to reach the other end as-is, since usually this could not be intercepted. With SSL bumped requests this is no longer true - the proxy can (and does) modify the traffic, by inserting these headers.

So I'm asking the question: is this behavior considered desirable, or should we be attempting to modify the request as little as possible for compatibility reasons?

I've just come across a web server that throws its toys out of the pram when it sees a Via header in an HTTPS request, and unfortunately it's quite a big one - Yahoo. See this request:

-----
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com
Via: 1.1

HTTP/1.1 301 Moved Permanently
Date: Tue, 04 Nov 2014 09:55:40 GMT
Via: http/1.1 yts212.global.media.ir2.yahoo.com (ApacheTrafficServer [c s f ]), http/1.1 r04.ycpi.ams.yahoo.net (ApacheTrafficServer [cMsSfW])
Server: ATS
Strict-Transport-Security: max-age=172800
Location: https://uk.finance.yahoo.com/news/degrees-lead-best-paid-careers-141513989.html
Content-Length: 0
Age: 0
Connection: keep-alive
-----

Compare to:

-----
GET /news/degrees-lead-best-paid-careers-141513989.html HTTP/1.1
Host: uk.finance.yahoo.com

HTTP/1.1 200 OK
...
-----

Note that the 301 that they return when a Via header is present just points back at the same URI, so the client never gets the object it requested.

For now I have worked around it with:

request_header_access Via deny https
request_header_access X-Forwarded-For deny https

But it does make me wonder if inserting the headers into bumped traffic is a sensible thing to do.

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:support@xxxxxxxxxxxx
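
Added example, not part of the original message: one way to see exactly what a bumping proxy changes is to capture the request as the client sent it and as a test origin received it, then diff the header sets and flag Via and X-Forwarded-For. The function names, hosts and addresses below are constructed for illustration.

```python
from collections import defaultdict

# Headers a forwarding proxy adds that disclose its presence or the client address.
DISCLOSING = {"via", "x-forwarded-for"}

def parse_head(raw):
    """Return (request_line, {lower-cased name: [values]}) for a raw HTTP/1.1 request head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.strip("\n").split("\n")
    headers = defaultdict(list)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()].append(value.strip())
    return lines[0], dict(headers)

def diff_request(sent, received):
    """Compare the request the client sent with the one the origin received."""
    sent_line, sent_h = parse_head(sent)
    recv_line, recv_h = parse_head(received)
    report = {
        "request_line_changed": sent_line != recv_line,
        "added": {n: v for n, v in recv_h.items() if n not in sent_h},
        "removed": sorted(n for n in sent_h if n not in recv_h),
        # A header present on both sides with different values, e.g. an
        # X-Forwarded-For list the proxy appended to.
        "changed": {n: (sent_h[n], recv_h[n]) for n in sent_h
                    if n in recv_h and sent_h[n] != recv_h[n]},
    }
    touched = set(report["added"]) | set(report["changed"])
    report["disclosing"] = sorted(DISCLOSING & touched)
    return report

# Constructed sample captures (placeholder host and documentation addresses).
SENT = ("GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: test-client\r\n\r\n")
RECEIVED = ("GET /index.html HTTP/1.1\r\n"
            "Host: www.example.com\r\n"
            "User-Agent: test-client\r\n"
            "Via: 1.1 proxy.example.net (squid)\r\n"
            "X-Forwarded-For: 192.0.2.10\r\n\r\n")

if __name__ == "__main__":
    print(diff_request(SENT, RECEIVED))
```

An empty "disclosing" list for bumped requests indicates that header rules such as the two quoted in the message are taking effect.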